Mixed Mining Arts? UFC Website Removes Malicious Crypto Code

It's the latest large site seen to be running up site visitors CPU to crank out cryptocurrency.

AccessTimeIconNov 7, 2017 at 8:00 p.m. UTC
Updated Sep 13, 2021 at 7:08 a.m. UTC

A subscription streaming site owned by mixed martial-arts powerhouse Ultimate Fighting Championship (UFC) is at the center of the latest controversy around clandestine, browser-based cryptocurrency mining.

Multiple users on social media reported yesterday that code developed by Coinhive – a monero mining script that can be embedded in a web page – was found in the code on the UFC's Fight Pass streaming site. It's unclear at this time where the code was sourced from, and a customer support staffer for UFC told a user that "we take these matters very seriously, and will review this."

“Immediately upon learning of the reported issue, Neulion, UFC’s over-the-top digital service provider, reviewed the UFC.TV/FIGHTPASS site code and did not find any reference to the mentioned Coinhive java script," A UFC spokesperson wrote in a statement to CoinDesk, subsequent to publication. "We are continuing to review the available information and feel confident that there are no coding issues across the site at this time.”

But Reddit users contend they found lines of code for Coinhive's mining script in the HTML for the page, as shown in two different screengrabs shared to Imgur.

The software was also spotted running by several users, included one who later flagged it onon Twitter. After one reddit user emailed UFC support about it, he got a response saying that they were looking into it. The attention that the situation attracted appears to have spurred UFC to action, as the script was ultimately removed, according to another post.

None of the screencaptures on the Internet Archive from yesterday show the script in the source code on UFC.com, but the captures from yesterday were made after these reports started coming out.

The move represents the latest instance in which a well-known site played unwitting host to the Coinhive script, which utilizes a user's computer capacity to mine the privacy-oriented cryptocurrency monero.

Subsequent to publication, Coinhive emailed CoinDesk to say that since none of the screenshots included the site key, it couldn't give any information on how much had been mined or if it had happened. "For what it's worth, we didn't notice any new 'top user' in our internal site wide dashboard. So the miner was either removed quickly again or didn't affect a lot of endusers," the company wrote in a statement. "Just for the record, we have a strict policy against using our service on 'hacked' sites and will terminate accounts that violate our terms of service, as soon as we're notified of them."

A streaming service run by Showtime previously found Coinhive code running on its sites, and web security firm Cloudflare has expressed its intent to crack down on sites that add mining software to sites without first notifying users.

This story has been updated with comment from Coinhive and UFC.

Correction: A previous version of this article inaccurately stated that CoinDesk has been in contact with UFC.

UFC fighter Vitor Belfort via Shutterstock.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.

Read more about